In this email, Comodo discloses the security issue to Mozilla. The email was sent 26 days after researchers Florian Heinz and Martin Kluge of Vautron Rechenzentrum AG informed them of the bug.
Comodo clearly states that they used OCR for .eu and .be domains because the TLD registrars redacted their port 43 WHOIS data, and only provided an image of an email address on their web WHOIS pages. There was apparently no other way to obtain the email address.
Rather than flagging ambiguous OCR results for a human to fix, they had automated heuristics to correct the OCR, as determined by the security researchers. However, the heuristics chose the wrong output for the domain @a1telekom.at, producing @altelekom.at (an L instead of a one). The researchers registered altelekom.at and obtained a cert for a domain owned by A1 Telekom, a major ISP.
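The design flaw in that comment is that a heuristic silently picked one reading of a confusable glyph and the pipeline then mailed the result. The safer automation is to enumerate the readings an OCR engine could plausibly have produced and refuse to auto-issue when the set is ambiguous, or when the mailbox domain is a look-alike of the very domain being validated. The following is an added example illustrating that check; it is not Comodo's code or the researchers' code, and the confusable classes, the function names and the sample addresses are assumptions chosen for the illustration.

```python
"""Added example (not from the original page): detect OCR-ambiguous
WHOIS contact addresses instead of auto-correcting them.

Assumptions: the confusable classes below are a typical, not complete,
set of glyph confusions; sample addresses are constructed for the demo.
"""
import itertools

# Characters a low-resolution render can map onto each other (assumed set).
CONFUSABLE_CLASSES = [
    {"1", "l", "i"},
    {"0", "o"},
    {"5", "s"},
    {"2", "z"},
    {"8", "b"},
]


def confusables(ch):
    """All characters the OCR engine could have meant when it emitted `ch`."""
    for cls in CONFUSABLE_CLASSES:
        if ch in cls:
            return sorted(cls)
    return [ch]


def ocr_readings(text, limit=10000):
    """Every string the OCR output could plausibly have been, itself included.

    Raises ValueError if the candidate set explodes, which is itself a
    signal that a human has to read the image.
    """
    options = [confusables(c) for c in text.lower()]
    out = set()
    for combo in itertools.product(*options):
        out.add("".join(combo))
        if len(out) > limit:
            raise ValueError("too many candidate readings; escalate to a human")
    return out


def classify_contact(ocr_email, requested_domain):
    """Decide what the validation pipeline may do with an OCR'd contact address.

    'ok'     - mailing this address cannot be subverted by an OCR misread:
               either the mailbox is at the domain under validation anyway,
               or the OCR reading has no confusable characters at all.
    'reject' - the mailbox domain differs from the requested domain only by
               confusable glyphs (the a1telekom.at / altelekom.at case):
               the applicant may own the look-alike.
    'review' - more than one plausible reading and none of the above:
               a human must read the WHOIS image.
    """
    local, _, mailbox_domain = ocr_email.lower().rpartition("@")
    if not local or not mailbox_domain:
        return "review"  # not even a parseable address; never auto-issue
    requested = requested_domain.lower()
    if mailbox_domain == requested:
        # Whatever OCR did, the mail lands at the domain being validated.
        return "ok"
    try:
        readings = ocr_readings(mailbox_domain)
    except ValueError:
        return "review"
    if requested in readings:
        return "reject"
    if len(readings) > 1:
        return "review"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: the OCR engine read the WHOIS image of a1telekom.at
    # as hostmaster@altelekom.at (an L instead of a one).
    print(classify_contact("hostmaster@altelekom.at", "a1telekom.at"))  # reject
    print(classify_contact("hostmaster@a1telekom.at", "a1telekom.at"))  # ok
    print(classify_contact("admin@example.com", "example.net"))         # review
```

The check errs deliberately towards "review": any third-party mailbox domain containing a confusable glyph is escalated, because OCR cannot tell which reading is right and the cost of a wrong guess is a mis-issued certificate.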
There is an accusation in the comment thread of the article that Comodo only disclosed this issue to Mozilla after it was reported publicly by the news media.
> steffen 2016-10-20 08:35:58 PDT
> In fact, the linked incident report refers to the heise article I also linked. So Comodo chose to "publish" this immediately after it was made public by others. That would be quite a coincidence. This raises the question of whether Comodo would've informed Mozilla at all if the media hadn't picked up on it.
A lone security researcher can find a bug, write it up and share it a lot more quickly than a corporation.
A corporation has to write, test, verify, share internally, review and approve before it can be released. Bureaucracy. They also needed to patch their systems.
Ryan Sleevi (Google) asked the question, and Robin Alden (Comodo) stated a reasonable timeline. There is no conspiracy here.